Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Darkweb Data Breaches

Cyble Vision Alerts Darkweb Data Breaches

Back
Id588a2ee5-978a-43f7-9c10-6d76d82026ef
RulenameCyble Vision Alerts Darkweb Data Breaches
DescriptionDetects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.
SeverityLow
TacticsReconnaissance
InitialAccess
Exfiltration
Collection
TechniquesT1589
T1078
T1048
T1530
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
Version1.0.0
Arm template588a2ee5-978a-43f7-9c10-6d76d82026ef.json
Deploy To Azure
Alerts_darkweb_data_breaches 
| where Service == "darkweb_data_breaches" 
| extend  MappedSeverity = Severity

triggerOperator: GreaterThan
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
  createIncident: true
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
relevantTechniques:
- T1589
- T1078
- T1048
- T1530
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: DB_Username
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: DB_Email
query: |
  Alerts_darkweb_data_breaches 
  | where Service == "darkweb_data_breaches" 
  | extend  MappedSeverity = Severity  
triggerThreshold: 0
customDetails:
  Service: Service
  UserName: DB_Username
  BreachSource: Breach_Source
  LeakedEmail: DB_Email
  RegistrationDate: DB_RegistrationDate
  PasswordHash: DB_PasswordHash
  MappedSeverity: Severity
  S3Key: DB_S3Key
  Status: Status
  BreachDate: DB_Date
  Tags: DB_Tags
  Structured: DB_Structured
  DisplayName: DB_DisplayName
  AlertID: AlertID
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision Darkweb Breach for {{DB_Email}}
  alertDescriptionFormat: |
        Username {{DB_Username}} Registration date {{DB_RegistrationDate}} Breach source {{Breach_Source}}
subTechniques: []
queryPeriod: 30m
tactics:
- Reconnaissance
- InitialAccess
- Exfiltration
- Collection
name: Cyble Vision Alerts Darkweb Data Breaches
description: |
    'Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.'
kind: Scheduled
enabled: true
id: 588a2ee5-978a-43f7-9c10-6d76d82026ef
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 30m
severity: Low
status: Available
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml